I am attempting to implement Tonic gRPC with mutual TLS. I generated a root cert with rcgen, generated a server cert with the same root and a client cert for testing. They're all ECC `PKCS_ECDSA_P384_SHA384`.

When I try to test with Postman I get `14 Unavailable`, and without a cert I get `1 Canceled`.

For `ServerTlsConfig` `client_ca_root` I am using the self-signed root CA I generated. Both the server cert and the client certs are signed by this root CA.
```rust
use tonic::transport::{Certificate, Identity, Server, ServerTlsConfig};
// `config`, `connection`, `HealthServer`/`HealthCheck` and `UsersServer`/`UserOperations`
// are the asker's own modules and generated service types (not shown in the question).

#[tokio::main] // runtime attribute assumed; the question shows only the async fn
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let config = config::load();
    let conn = connection::get(&config.database).await;
    let addr = format!("{}:{}", config.server.host, config.server.port).parse()?;

    // Server identity: the server leaf certificate and its private key.
    let cert = std::fs::read_to_string("rd_srv.pem")?;
    let key = std::fs::read_to_string("rd_srv.key")?;
    let server_identity = Identity::from_pem(cert, key);

    // Trust anchor for client certificates: the self-signed root CA.
    let client_ca_cert = std::fs::read_to_string("rd_root.pem")?;
    let client_ca_cert = Certificate::from_pem(client_ca_cert);

    // Setting `client_ca_root` enables mutual TLS: clients must present a cert chaining to it.
    let tls = ServerTlsConfig::new()
        .identity(server_identity)
        .client_ca_root(client_ca_cert);

    Server::builder()
        .tls_config(tls)?
        .add_service(HealthServer::new(HealthCheck {
            connection: conn.clone(),
        }))
        .add_service(UsersServer::new(UserOperations {
            connection: conn.clone(),
        }))
        .serve(addr)
        .await?;
    Ok(())
}
```
With tracing enabled I am getting the following error via Postman:

```text
2023-03-22T15:38:43.236397Z DEBUG rustls::anchors: add_parsable_certificates processed 1 valid and 0 invalid certs
2023-03-22T15:38:44.498766Z DEBUG rustls::server::hs: decided upon suite TLS13_AES_128_GCM_SHA256
2023-03-22T15:38:44.501741Z DEBUG rustls::server::hs: Chosen ALPN protocol [104, 50]
2023-03-22T15:38:44.509749Z DEBUG tonic::transport::server::incoming: Accept loop error. error=tls handshake eof
```

And when I try via grpcurl I am getting the following error:

```sh
grpcurl -d '{}' -cacert rd_root.pem -cert rd_dev.pem -key rd_dev.key localhost:50088 list u.rd.users.Users/ListAllUsers
```

Error:

```text
2023-03-22T16:30:08.009840Z DEBUG rustls::server::hs: decided upon suite TLS13_AES_128_GCM_SHA256
2023-03-22T16:30:08.010046Z DEBUG rustls::server::tls13::client_hello: Client unwilling to resume, DHE_KE not offered
2023-03-22T16:30:08.011567Z DEBUG rustls::server::hs: Chosen ALPN protocol [104, 50]
2023-03-22T16:30:08.020294Z WARN rustls::conn: Sending fatal alert HandshakeFailure
2023-03-22T16:30:08.020582Z DEBUG tonic::transport::server::incoming: Accept loop error. error=invalid peer certificate contents: invalid peer certificate: MissingOrMalformedExtensions
```
What could be my issue here and how do I fix it? Are the certs badly generated, or is something else the problem?
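The second log names the check that rejected the client cert: in webpki (the X.509 parser rustls uses), MissingOrMalformedExtensions is raised when the tbsCertificate has no [3] EXPLICIT Extensions field. The following is an added example, not part of the question: a stdlib-only Python DER walker that reports whether a PEM certificate (for instance the rd_dev.pem passed to grpcurl) has that field and which extension OIDs it carries (2.5.29.17 subjectAltName, 2.5.29.15 keyUsage, 2.5.29.37 extendedKeyUsage, 2.5.29.19 basicConstraints). The `sample_cert()` input is a constructed, unsigned skeleton, not one of the asker's certificates.

```python
import base64, re

def der_read(buf):
    """Read one DER TLV: (tag, value, rest); handles short- and long-form lengths."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, off = first, 2
    else:
        k = first & 0x7F                                  # number of length octets
        length, off = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[off:off + length], buf[off + length:]

def der_children(value):
    """Yield the (tag, value) children of a constructed value."""
    while value:
        tag, val, value = der_read(value)
        yield tag, val

def decode_oid(raw):
    """OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))

def certificate_extensions(der_bytes):
    """Extension OIDs of a DER cert, or None when [3] Extensions is absent (webpki: MissingOrMalformedExtensions)."""
    _, cert, _ = der_read(der_bytes)                      # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert)                            # tbsCertificate is its first child
    ext_field = [v for t, v in der_children(tbs) if t == 0xA3]
    if not ext_field:
        return None
    _, exts, _ = der_read(ext_field[0])                   # Extensions ::= SEQUENCE OF Extension
    return [decode_oid(der_read(ext)[1]) for _, ext in der_children(exts)]  # extnID is first

def der(tag, payload):   # minimal encoder (short-form lengths) for the constructed sample only
    return bytes([tag, len(payload)]) + payload

def sample_cert(with_extensions):
    """Constructed, unsigned skeleton certificate for offline testing (not a real cert)."""
    ext = lambda *oid: der(0x30, der(0x06, bytes(oid)) + der(0x04, der(0x30, b"")))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")  # [0] version v3, serialNumber 1
    if with_extensions:                                       # subjectAltName + extendedKeyUsage
        tbs += der(0xA3, der(0x30, ext(85, 29, 17) + ext(85, 29, 37)))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

Run it over the generated files with `certificate_extensions(pem_to_der(open("rd_dev.pem").read()))`: a `None` result means rustls will reject that cert with exactly the error above, and a list lacking 2.5.29.37 means no extendedKeyUsage (such as clientAuth) is declared.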